Improper Neutralization of Special Elements in Data Query Logic in Flowise - CVE-2026-41274


Published: April 20, 2026


Vulnerability identifier: #VU126602
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41274
CWE-ID: CWE-943
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary Cypher commands on the underlying Neo4j database.

The vulnerability exists due to improper neutralization of special elements in data query logic in the GraphCypherQAChain run method when handling user-supplied input received through the prediction endpoint. A remote user can send a specially crafted request to execute arbitrary Cypher commands on the underlying Neo4j database.

Exploitation requires a chatflow that includes the Graph Cypher QA Chain node and is connected to a Neo4j Graph node with valid credentials.
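The defect class described above (CWE-943) is user-influenced text reaching a database query engine without neutralization. The following TypeScript is an added illustration of the defensive pattern, not Flowise, LangChain or Neo4j code and not the vendor's fix: a pre-execution guard that a read-only question-answering chain could place between the component that produces a Cypher statement and the database driver, plus a parameterised lookup that keeps user input out of the statement text. All function names, the result type and the keyword list are this example's own assumptions; the legitimate procedures a deployment needs (if any) would have to be added to an allowlist separately, since the guard rejects every CALL.

```typescript
// Added example (not Flowise or Neo4j code): a pre-execution guard for Cypher
// statements derived from user-controlled input, plus a parameterised lookup.

// Hypothetical result type; the name is this example's own.
interface CypherGuardResult {
  allowed: boolean;
  reason: string;
}

// Clauses that change data, reach procedures, or switch databases. For a
// read-only question-answering chain any occurrence is a policy violation.
const WRITE_OR_PRIVILEGED: string[] = [
  "CREATE", "MERGE", "DELETE", "DETACH", "SET", "REMOVE", "DROP",
  "CALL", "LOAD CSV", "FOREACH", "USE", "GRANT", "DENY", "REVOKE",
];

// Blank out string literals and comments before keyword matching, so a
// property value such as 'delete me' does not trip the filter and a keyword
// that only appears in a comment (which never executes) is not counted.
function stripLiteralsAndComments(cypher: string): string {
  return cypher
    .replace(/'(?:\\.|[^'\\])*'/g, "''")   // single-quoted literals
    .replace(/"(?:\\.|[^"\\])*"/g, '""')   // double-quoted literals
    .replace(/\/\*[\s\S]*?\*\//g, " ")     // block comments
    .replace(/\/\/[^\n]*/g, " ");          // line comments
}

// Returns whether the statement is a plain read and, if not, why it was refused.
function guardReadOnlyCypher(cypher: string): CypherGuardResult {
  const scrubbed = stripLiteralsAndComments(cypher);

  // A single question never needs a second statement; a ';' followed by more
  // text is refused outright rather than inspected.
  if (/;\s*\S/.test(scrubbed)) {
    return { allowed: false, reason: "multiple statements are not permitted" };
  }

  // A read must open with MATCH, OPTIONAL MATCH, WITH, UNWIND or RETURN.
  if (!/^\s*(MATCH|OPTIONAL\s+MATCH|WITH|UNWIND|RETURN)\b/i.test(scrubbed)) {
    return { allowed: false, reason: "statement does not start with a read clause" };
  }

  for (const kw of WRITE_OR_PRIVILEGED) {
    // Whole-word match; "LOAD CSV" tolerates any whitespace between the words.
    const re = new RegExp(`\\b${kw.replace(" ", "\\s+")}\\b`, "i");
    if (re.test(scrubbed)) {
      return { allowed: false, reason: `clause ${kw} is not permitted` };
    }
  }
  return { allowed: true, reason: "read-only statement" };
}

// Parameterised lookup: the user's value travels as a driver parameter and is
// never spliced into the statement text. The return shape is this example's
// own convention, not a particular driver's API.
function buildLookupQuery(userValue: string): { text: string; params: Record<string, string> } {
  return {
    text: "MATCH (p:Person {name: $name}) RETURN p.name AS name, p.born AS born",
    params: { name: userValue },
  };
}

// Constructed sample inputs, as a stand-alone run would exercise them.
const samples: string[] = [
  "MATCH (n:Note {title: 'delete me'}) RETURN n.title",
  "MATCH (n) DETACH DELETE n",
  "MATCH (n) RETURN n; MATCH (m) RETURN m",
];
for (const s of samples) {
  const verdict = guardReadOnlyCypher(s);
  console.log(`${verdict.allowed ? "ALLOW" : "DENY "} ${verdict.reason}: ${s}`);
}
```

The guard is deliberately conservative: it is a last line of defence behind the real mitigations (the vendor update, a database account that holds only read privileges, and executing generated statements inside read-only transactions), not a replacement for them.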


How to mitigate CVE-2026-41274

Install the security update from the vendor's website.

Sources